Superuser Privilege Management

Implement a least-privilege security model for Linux and UNIX systems with flexible, role-based controls that protect privileged operations while still granting users the privileges they need to perform their jobs.

The Challenge

A superuser account is any administrative account that grants full access to an operating system or application such as a database. On Linux and UNIX platforms, system accounts such as root or service accounts such as oracle are needed for installation, configuration, administration and management tasks. But as Gartner (Research Report ID# G00130427) has noted, Linux and UNIX systems inherently lack a scalable and simple model for administrative delegation. In many organizations Linux and UNIX personnel - such as system administrators, DBAs, backup operators and help desk staff - are routinely given increased privileges to accomplish even narrowly focused administrative tasks such as performing backups or managing a web site.

Organizations are becoming increasingly aware of the risk that such broad administrative grants pose for potential theft of corporate IP, insider attacks, or even inadvertent changes that adversely affect systems or data. But alternatives such as sudo are frequently so complex to manage that some organizations simply live with the exposure because they have no practical way to limit privileges without hindering users in performing necessary administrative tasks.

The Centrify Solution

The Centrify Suite provides a single, unified privilege management solution across more than 225 Linux and UNIX platforms. Instead of relying on complex scripting, proprietary databases, or expensive server architectures, Centrify joins your Linux and UNIX systems to your existing Active Directory infrastructure. You can then model Linux and UNIX user roles within Active Directory and apply those roles to the existing Active Directory identities. With the Centrify Suite you can:

  • Associate all rights with centrally managed Active Directory accounts and groups, ensuring unambiguous accountability and simplifying rights management
  • Grant users rights to execute commands with elevated privileges, eliminating the need for access to privileged accounts and passwords
  • Assign users a Restricted Environment with access only to a specific "whitelist" of commands
  • Simplify the execution of privileged commands for users
  • Lock down sensitive systems with fine-grained access controls that specify who can access a system and how
  • Set time windows when a role can access a system, and set time periods when a role assignment is active, including temporary assignments scoped to individual computers

Learn More

  • On-Demand Webinar: Implementing Least-Privilege Security Management in Complex Linux and UNIX Environments
  • On-Demand Webinar: Beyond Authentication: Using Centrify DirectAuthorize for Fine-Grained Access Control and Privilege Management on UNIX & Linux
  • Video Chalktalk: Introducing DirectAuthorize Part 1: Concepts & Features
  • Video Chalktalk: Introducing DirectAuthorize Part 2: Architecture & Advanced Features
  • Blog Post: Superuser Privilege Management

Next Steps

The DirectControl MIIS Management Agent is a great example of how Centrify enables customers to get more value out of their investment in Active Directory and MIIS.

Michael Stephenson
Director
Windows Server Division
Microsoft Corp.